[SERVER-18359] authentication operations fail on mongos with auditing enabled
Created: 07/May/15  Updated: 18/Apr/16  Resolved: 18/May/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.2
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Andre de Frere
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to DOCS-5407 sharded clusters auditing enabled Closed
Operating System: ALL
Steps To Reproduce:
  1. start a mongos and config server
  2. add a user
  3. restart the mongos with --auditDestination, --auditFormat and --auditPath
  4. attempt to authenticate
Participants:

 Description   

If you attempt to authenticate on a mongos node with auditing enabled, the authentication attempt will fail. The logs will indicate an error in authentication:

2015-05-07T05:27:20.715+0000 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed for user on admin from client 127.0.0.1 ; BadValue "impersonatedUsers" is not a valid argument to usersInfo

There does not appear to be any further information in higher verbosity logs.

The audit log just indicates an 18 on the authentication attempt.

Additionally, other security or authentication operations are not available if auditing is enabled. Trying to create a user gives a similar error in the shell:

mongos> db.createUser( { user : "user", pwd : "pword", roles : [ { role : "readWrite", db : "test" } ] } )
2015-05-07T05:48:00.359+0000 E QUERY    Error: couldn't add user: "impersonatedUsers" is not a valid argument to rolesInfo
    at Error (<anonymous>)
    at DB.createUser (src/mongo/shell/db.js:1066:11)
    at (shell):1:4 at src/mongo/shell/db.js:1066

Note: it is not necessary to enable --keyFile for this to fail; the authentication attempts will give the above error even when no authentication options are given in the config file/command line options.



 Comments   
Comment by Ramon Fernandez Marina [ 18/May/15 ]

Resolving this ticket as "Works As Designed" – see the updated documentation for more details.

Comment by Andre de Frere [ 11/May/15 ]

Issue resolved after enabling auditing on all nodes

DOCS change could be made to make this clear - enabling auditing on mongos requires auditing to be enabled on all mongod
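
The requirement stated in the comments (auditing on mongos needs auditing on every mongod) can be checked before a rollout, and the error text from the description can be matched in logs. The following is an added example, not part of the ticket or of MongoDB's code; it assumes a node counts as audited when its command line carries --auditDestination, and the node names, ports and paths are constructed sample values.

```python
import re
import shlex

# Error text quoted in the ticket, seen for both usersInfo and rolesInfo.
SYMPTOM = re.compile(r'"impersonatedUsers" is not a valid argument to (usersInfo|rolesInfo)')


def audit_enabled(cmdline):
    """True if the command line carries --auditDestination (space or '=' form).
    Assumption of this example: that flag is what marks a node as audited."""
    return any(a == "--auditDestination" or a.startswith("--auditDestination=")
               for a in shlex.split(cmdline))


def binary(cmdline):
    """Return the program name (mongos or mongod) from the first token."""
    return shlex.split(cmdline)[0].rsplit("/", 1)[-1]


def unaudited_mongods(cluster):
    """If any mongos audits, return the sorted mongod nodes that do not."""
    mongos_audits = any(audit_enabled(c) for c in cluster.values()
                        if binary(c) == "mongos")
    if not mongos_audits:
        return []
    return sorted(n for n, c in cluster.items()
                  if binary(c) == "mongod" and not audit_enabled(c))


def symptom_commands(log_lines):
    """Return the command (usersInfo/rolesInfo) named in each matching log line."""
    return [m.group(1) for line in log_lines if (m := SYMPTOM.search(line))]


# Constructed sample input: node names, ports and paths are made up.
CLUSTER = {
    "router1": "mongos --configdb cfg1:27019 --auditDestination file "
               "--auditFormat JSON --auditPath /var/log/mongos-audit.json",
    "cfg1": "mongod --configsvr --port 27019",
    "shard1": "/usr/bin/mongod --port 27018 --auditDestination=file "
              "--auditFormat=JSON --auditPath=/var/log/audit.json",
}
# The two log lines are the ones quoted in the ticket description.
LOG = [
    '2015-05-07T05:27:20.715+0000 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed for user on admin from client 127.0.0.1 ; BadValue "impersonatedUsers" is not a valid argument to usersInfo',
    '2015-05-07T05:48:00.359+0000 E QUERY    Error: couldn\'t add user: "impersonatedUsers" is not a valid argument to rolesInfo',
]

if __name__ == "__main__":
    print("symptom seen for:", symptom_commands(LOG))
    print("mongod nodes missing audit options:", unaudited_mongods(CLUSTER))
```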
